CVE-2024-39564: Juniper Junos BGP DoS Vulnerability

CVE-2024-39564 Overview

CVE-2024-39564 is a double-free vulnerability (CWE-415) in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. An unauthenticated, network-based attacker can send a malformed Border Gateway Protocol (BGP) Path attribute update. The malformed update triggers allocation of memory used to log the bad path attribute, which is then freed twice. The double free causes rpd to crash, producing a sustained Denial of Service (DoS) condition on the routing plane. Juniper notes this is a similar but distinct issue from CVE-2024-39549.

Critical Impact

A single malformed BGP update can repeatedly crash the routing daemon on affected Junos OS and Junos OS Evolved devices, disrupting BGP-dependent network traffic.

Affected Products

• Juniper Junos OS: from 22.4 before 22.4R3-S4
• Juniper Junos OS Evolved: from 22.4 before 22.4R3-S4-EVO
• Devices running rpd with BGP peering enabled

Discovery Timeline

• 2025-02-05 - CVE-2024-39564 published to NVD
• 2026-01-26 - Last updated in NVD database

Technical Details for CVE-2024-39564

Vulnerability Analysis

The flaw resides in the BGP path attribute handling logic of rpd. When rpd receives a malformed BGP Path attribute update, it allocates a memory buffer used to log the malformed attribute. An error-handling code path then frees the same buffer twice. The resulting double free corrupts heap metadata and causes rpd to terminate abnormally.

When rpd crashes, all BGP sessions on the device reset. Because the malformed update can be replayed, an attacker can keep rpd in a crash-restart loop. This denies service to all routing functions that depend on rpd, including BGP, IS-IS, OSPF, and label distribution.

The vulnerability is reachable over the network with no authentication and no user interaction. Exploitation requires the ability to send a BGP update to the target — typically from an established or attacker-influenced BGP peer, or via a compromised upstream router that propagates the malformed attribute.

Root Cause

The root cause is improper memory management in rpd's BGP error-logging path. The same allocation pointer is released by two distinct cleanup routines, violating the single-ownership invariant required for safe free() semantics. This pattern matches CWE-415: Double Free.

Attack Vector

An attacker with the ability to inject a crafted BGP UPDATE message into a session reaching the target sends a malformed Path attribute. The message must traverse to a vulnerable Junos device where rpd parses and attempts to log the attribute. The crafted update does not need to originate from a direct peer — propagation through intermediate BGP routers is sufficient if the malformed attribute is preserved. Public proof-of-concept code is not currently available for this CVE.

For full technical detail, refer to the Juniper Security Advisory JSA83011.

Detection Methods for CVE-2024-39564

Indicators of Compromise

• Unexpected rpd process crashes or core files on Junos OS or Junos OS Evolved devices, visible via show system core-dumps
• BGP sessions on the device transitioning to Idle or Active state without a configuration change
• Syslog entries referencing malformed BGP path attributes or rpd restarts
• Repeated BGP NOTIFICATION messages with UPDATE message error codes correlated with peer activity

Detection Strategies

• Monitor rpd process state and core-dump generation across all Junos and Junos Evolved devices
• Alert on BGP session flaps that affect multiple peers simultaneously, which indicates an rpd restart rather than a single peer issue
• Inspect BGP UPDATE messages at network telemetry collectors for unusual or non-standard path attribute encodings

Monitoring Recommendations

• Forward Junos syslog and rpd trace output to a centralized logging or SIEM platform and create alerts for rpd crash signatures
• Track BGP peer state changes with streaming telemetry (gNMI/OpenConfig) and correlate with control-plane CPU spikes
• Baseline normal BGP update patterns per peer and alert on unexpected NOTIFICATION traffic

How to Mitigate CVE-2024-39564

Immediate Actions Required

• Inventory all Junos OS and Junos OS Evolved devices in the 22.4 train and identify those running versions earlier than 22.4R3-S4 or 22.4R3-S4-EVO
• Schedule upgrades to a fixed release on devices that maintain external BGP sessions or transit BGP attributes from untrusted networks
• Restrict BGP peering to authenticated, trusted neighbors and review route policies that propagate unknown path attributes

Patch Information

Juniper has released fixed software in Junos OS 22.4R3-S4 and Junos OS Evolved 22.4R3-S4-EVO, and in subsequent releases. Customers should consult the Juniper Security Advisory JSA83011 for the complete list of fixed releases applicable to their deployed train.

Workarounds

• Limit BGP peering to known, trusted peers and enforce TCP-AO or MD5 authentication on BGP sessions
• Apply inbound BGP policy that rejects or sanitizes unknown or optional transitive path attributes where operationally feasible
• Use BGP bgp-error-tolerance features available in supported Junos releases to limit the blast radius of malformed updates

# Verify installed Junos version against the fixed release
show version | match Junos

# Inspect rpd crash history
show system core-dumps
show system processes extensive | match rpd

# Review BGP session stability
show bgp summary
show log messages | match "rpd|bgp_path_attr"